Facebook believes the data of up to 87 million people was improperly shared with the political consultancy Cambridge Analytica – many more than previously disclosed.
The BBC has been told that about 1.1 million of them are UK-based.
The overall figure had been previously quoted as being 50 million by the whistleblower Christopher Wylie.
Facebook chief Mark Zuckerberg said “clearly we should have done more, and we will going forward”.
During a press conference he said that he had previously assumed that if Facebook gave people tools, it was largely their responsibility to decide how to use them.
But he added that it was “wrong in retrospect” to have had such a limited view.
“Today, given what we know… I think we understand that we need to take a broader view of our responsibility,” he said.
“That we’re not just building tools, but that we need to take full responsibility for the outcomes of how people use those tools as well.”
Mr Zuckerberg also announced an internal audit had uncovered a fresh problem. Malicious actors had been abusing a feature that let users search for one another by typing in email addresses or phone numbers into Facebook’s search box.
As a result, many people’s public profile information had been “scraped” and matched to the contact details, which had been obtained from elsewhere.
Facebook has blocked now blocked the facility.
“It is reasonable to expect that if you had that [default] setting turned on, that in the last several years someone has probably accessed your public information in this way,” Mr Zuckerberg said.
The estimates of how many people’s data had been exposed were revealed in a blog by the tech firm’s chief technology officer, Mike Schroepfer.
The BBC has also learned that Facebook now estimates that about 305,000 people had installed the This Is Your Digital Life quiz that had made the data-harvesting possible. The previously suggested figure had been 270,000.
About 97% of the installations occurred within the US. However, just over 16 million of the total number of users affected are thought to be from other countries.
A spokeswoman for the UK’s Information Commissioner’s Office told the BBC that it was continuing to assess and consider the evidence before deciding what steps to take.
What is the controversy about?
Facebook has faced intense criticism after it emerged that it had known for years that Cambridge Analytica had collected data from millions of its users, but had relied on the London-based firm to self-certify that it had deleted the information.
Cambridge Analytica said it had bought the information from the creator of the This Is Your Digital Life app without knowing that it had been obtained improperly.
The firm says it deleted all the data as soon as it was made aware of the circumstances.
But Channel 4 News has since reported that at least some of the data in question is still in circulation despite Cambridge Analytica insisting it had destroyed the material.
During Mr Zuckerberg’s press conference, Cambridge Analytica tweeted it had only obtained data for 30 million individuals – not 87 million – from the app’s creator, and again insisted it had deleted all records.
The latest revelations came several hours after the US House Commerce Committee announced that Facebook’s founder, Mark Zuckerberg, would testify before it on 11 April.
Facebook’s share price has dropped sharply in the weeks since the allegations emerged.
In his Wednesday blog post, Mr Schroepfer detailed new steps being taken by Facebook in the wake of the scandal.
- a decision to stop third-party apps seeing who is on the guest lists of Events pages and the contents of messages posted on them
- a commitment to only hold call and text history logs collected by the Android versions of Messenger and Facebook Lite for a year. In addition, Facebook said the logs would no longer include the time of the calls
- a link will appear at the top of users’ News Feeds next week, prompting them to review the third-party apps they use on Facebook and what information is shared as a consequence
Facebook has also published proposed new versions of its terms of service and data use policy.
The documents are longer than the existing editions in order to make the language clearer and more descriptive.
Tinder users affected
Another change the company announced involved limiting the type of information that can be accessed by third-party applications.
Immediately after the changes were announced, however, users of the widely popular dating app Tinder were hit by login errors, leaving them unable to use the service.
Tinder relies on Facebook to manage its logins. Users reported that they had been signed out of the app and were unable to log in again.
Instead, the app repeatedly asks for more permissions to access a user’s Facebook profile information. Many were quick to link the outage to the changes announced by Facebook.
The Cambridge Analytica scandal follows earlier controversies about “fake news” and evidence that Russia tried to influence US voters via Facebook.
Mr Zuckerberg has declined to answer questions from British MPs.
When asked about this by the BBC, he said he had decided that his chief technology officer and chief product officer should answer questions from countries other than the US.
He added, however, that he had made a mistake in 2016 by dismissing the notion that fake news had influenced the US Presidential election.
“People will analyse the actual impact of this for a long time to come,” he added.
“But what I think is clear at this point is that it was too flippant and I should never have referred to it as crazy.”